Category Archives: OPSEC

What to Secure…

encryptionRecent News articles detailing the NSA surveillance monitoring has shown to extend to other countries and that of their high-level officials. A more recent article states the following:

“The U.S. monitored the phone conversations of 35 world leaders, according to a National Security Agency document provided by its former contractor, Edward Snowden, according to The Guardian newspaper.”

Although most people cannot communicate using secure phone calls, it does raise the importance that the data be what is secured, not just the mode of transport. A phone call or even Internet usage should not be considered secure. There are numerous hops and intermediary systems that connect the signal being used. Each of those points of connection are a potential point of surveillance. Add the additional discoveries regarding ATT, Verizon, and other carriers, the expectation of privacy should no longer be expected.

This means that only the data, if encrypted or secured, provides the potential expectation of privacy. Insuring securing data at rest and during transport is critical to insure privacy. It may take more time and resources, but in an age of “continuous monitoring” of everything, it is the best way to provide the assurance most people and businesses desire.

Tagged , , , , , , , , ,

IPS Grows Up But IDS On Life Support?

In the November 2012 issue of SC Magazine (Pg 26-28) titled “IPS Grows Up”, an article by Fahmida Rashid discusses some of the changing landscape for intrusion protection systems with a variety of experts. There are a variety of interesting topics and statistics regarding IPS such as the following:

While IPS won’t be able to block attacks exploiting zero-day vulnerabilities or thwart skilled adversaries using sophisticated tactics, it should “prevent 99 percent of push-button or automated attacks, Al-Abdulla says.”

While many can agree with that statement, what probably would not receive a great deal of agreement was the following statement within the article:

Holden predicts IDS will “fall by the wayside” in the next three to five years.

While it is understood that IDS is not detective rather than reactive, but one of the things that many businesses and agencies have a hard time tuning IPS in a way that there will not be any issues with mission or business critical traffic. The thought that IDS will no longer be necessary seems very short-sighted and limited. Granted most IPS devices are also IDS, but if defense in-depth is still a valid concept and that risk is a business decision, then IDS will remain in use for the foreseeable future.

Tagged , , , , , , , , , ,

Cyber Pearl Harbor or Just Cyber Space…

There has been a lot of news recently about the potential for the coming Cyber Pearl Harbor. A cyber attack that would mirror the devastation that hit the naval base in Pearl Harbor during the beginning of WWII. According to an article in CSO Magazine on October 18, 2012, the United States is concerned of a coming cyber attack. The concept of comparing the attack to Pearl Harbor has been around for several years. It wasn’t until a recent a speech by U.S. Secretary of Defense Leon Penetta in New York that this has become more of a topic.

The article states the following:

The results of cyberttacks by a hostile nation-state on critical infrastructure like transportation, water supply or the electric grid “could be a cyber Pearl Harbor — an attack that would cause physical destruction and the loss of life,” Panetta said. “In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability.”

Panetta also invoked the image of a cyberattack on the level of 9/11. “Before September 11, 2001, the warning signs were there. We weren’t organized. We weren’t ready and we suffered terribly for that lack of attention. We cannot let that happen again. This is a pre-9/11 moment,” he said.

In a follow-up article in CSO Magazine November 7th, the opposing viewpoint was brought forth. Many in the security industry feel that the concept and description of a Cyber Pearl Harbor is nothing more than hot air. Experts including Bruce Schneier have chimed in. Bruce has reduced the extent to which he believes the concept to be exaggerated but according to he article:

Critics argue argue that not only is the threat of a catastrophic cyberattack greatly exaggerated, but that the best way to guard against the multiple risks they agree exist is not with better firewalls or offensive strikes against potential attacks, but to “build security in” to the control systems that run the nation’s critical infrastructure.

Bruce Schneier, author, Chief Technology Security Officer at BT and frequently described as a security “guru,” has not backed off of his contention made at a debate two years ago that the cyber war threat “has been greatly exaggerated.” He said that while a major attack would be disruptive, it would not even be close to an existential threat to the U.S.

“This [damage] is at the margins,” he said, adding that even using the term “war” is just a, “neat way of phrasing it to get people’s attention. The threats and vulnerabilities are real, but they are not war threats.”

The reality is that it is probably somewhere in the middle of the two viewpoints. It can be likened to the Y2K issue a little over a decade ago. The world was going to come to an end and the dark ages would re-emerge. The reality was that preparation help minimize what little impact there may have been. Security is a risk decision, but most risk decisions are defensive in nature. The other decision of a preemptive cyber capability is another aspect of the decision-making that needs to be addressed. Should the U.S. begin cyber strikes on perceived threats? What is the impact of doing this on the long-term? The world has already seen a small view of what can be done with Stuxtnet and will these type of state-sponsored cyber attacks the new nuclear deterrent…that is yet to be seen.

Regardless of the direction that gets taken, business needs to look at potential cyber attacks/hacks as a real potential threat and determine what risk is willing to be accepted and what will need to be mitigated. Whether the issue is the size of a country or your home computer, measure twice, cut once is still the best direction.

Tagged , , , , , , , , , , , , , , ,

South Carolinas’s Majority of Social Security Numbers Exposed…

In an article in Dark reading, South Carolina officials announced that more than three-quarters of the states social security numbers were exposed in a recent hack. The data included debit and credit card information for the states residents as well. The most concerning issue was that the database that was compromised was not encrypted. As a state agency, it should have been an example to follow rather than one to avoid. The state’s Department of Revenue should have been held to not only federal regulatory requirements, but also PCI. This type of failure is not acceptable.

While not everything has been released as to the cause other than the database was breached and not encrypted, the article states the following:

Although state officials referred to the hack as a “database” breach, they didn’t specify just what flaw was exposed. Security experts say it was most likely a SQL injection or other vulnerability in the Web-based application that ultimately led to the data breach.

Chris Eng, vice president of research for Veracode, says it sounds like a SQL injection attack against a Web application. “That’s the simplest way in,” he says.

It is easy to make conjecture about how the breach occurred, but it would seem that the necessary due diligence was not followed. Security should be more than a check-box. States and Federal governments should be setting the examples for the rest of business…Another instance where measure twice and cut once should have been put in place…

Tagged , , , , , , , , , , , , ,

Weather To Have Security or Not…

Millions of people are feeling the effects of Hurricane Sandy along the East Coast of the United States. Natural disasters occur all the time all of over the world, but many times some of the basic precautions do not get addressed in advance. Many will ask how this topic deals with technology or security, but the answer is simple…it just does. Most businesses will have a process or procedures if a server crashes or the phone system or Internet goes out for a couple of hours, but how many businesses address the longer term impacts of flooding or the fact that your cloud provider lost one or more of its data centers.

The reality is that business continuity planning and disaster recovery planning should include these types of scenarios. Scenarios and planning for short and long-term outages. Whether it is an earthquake, tornado/hurricane, or flooding, the planning needs to be there and how it could impact your business from a safety and financial stand point. If you take this recent storm as an example, many businesses lost power and will be flooded for days potentially having a strong negative impact for their customers. In fact, the NYSE closed for multiple days as a result of the storm and that has not occurred for weather related issues since the early 1900s.

The bottom line is to plan. Make business continuity and disaster recovery a part of your process and then also test those processes. The last thing your business needs during an outage is to go to a process that does not work or has never been tested. Now we know that security and business has to evaluate risk. If not being prepared is an acceptable risk, then that is the business decision you will need to make…

Tagged , , , , , , , , , , , , , , , ,

Are You Satisfied With Nothing…

Are you a small business? Are you satisfied with your customer and business data security? According to a recent survey of small businesses by Symantec and National Cyber Security Alliance, 86% state that they are. In an article in SC Magazine published 10/22, some of the interesting details of the survey are discussed.

According to the article, even those 86% are satisfied with the level of security protecting the customer and business data of their businesses. In addition, 77% of those small businesses surveyed believe that their business is safe from any breach. According to the article about the survey, the following is what is most concerning:

However, 87 percent of respondents have not written a formal security policy for employees, 83 percent lack any security blueprint at all and 59 percent have no plan in place to respond to a security incident.

These statistics are very concerning. If you take this survey of 1,015 small businesses (250 employees or less) as a reasonable grouping of all small businesses this survey is frightening. Even if you take it with a grain of salt, it is scary that no planning is being put in place for most. One can only assume why a business would not put a plan, even one that is basic, in place. Is it the cost of security or the thought that “this business is too small to be hit” mindset? What ever the rationale used to make the decision, it was a decision to accept that risk of compromise and breach, but as more and more businesses begin to use cloud services and other mechanism on the Internet, they are turning from an obscure local “mom and pop” business to one with a larger footprint that can span the globe.

Preparation is always a wise decision. Regardless if you document that you buy the top of the line next-gen firewall and intrusion protection system or just change the Linksys encryption from WEP to WPA-2 and change the default admin password, the documented plan is a step in the right direction. Remember it is important to measure twice and cut once.

In closing the following quote is something for everyone to consider:

“Invincibility lies in the defence; the possibility of victory in the attack.” — Sun Tzu

Tagged , , , , , , , , , , , , , ,

Phishing for HTML 5…

The blog, Feross.org, posted a good article on using HTML5 for phishing on Oct 8th. Now, to most security professionals, this type of attack will be easily bypassed, but this type of attack is meant for the same group fo people who help feed the African Prince that is trying to pay you by transferring his money through your bank account. In addition, this also targets those people who do not validate the websites they go to or allow scripting on all sites.

This article could be used to help educate, although in a highly technical way, users in how to look for and prevent the success of this type of attack. It is important that all the technical defenses applied to a network or system can be circumvented by uneducated or unaware users that do not practice proper security principles.

Tagged , , , , , , , , , , , , , , , , ,

Zero-Day Attacks Last Longer Than Zero…

Research from Symantec has been published in ACM on October 16. The research, which was also referenced in articles in SC Magazine and Dark Reading, looks at the amount and duration of zero-day attacks. Specifically:

A zero-day attack is characterized by a vulnerability that is exploited in the wild before it is disclosed, i.e., t0 > te. Similarly, a zero-day vulnerability is a vulnerability employed in azero-day attack. Our goals in this paper are to measure the prevalence and duration of zero-day attacks and to compare the impact of zero-day vulnerabilities before and after t0.

The research within the paper has some important considerations to business and the need for effective patching and defense-in-depth within the enterprise. Specifically, the paper found the following conclusion:

Zero-day attacks have been discussed for decades, but nostudy has yet measured the duration and prevalence of these attacks in the real world, before the disclosure of the corresponding vulnerabilities. We take a first step in this direction by analyzing field data collected on 11 million Windows hosts over a period of 4 years. The key idea in our studyis to identify executable files that are linked to exploits of known vulnerabilities. By searching for these files in a dataset with historical records of files downloaded on end-hosts around the world, we systematically identify zero-day attacks and we analyze their evolution in time.We identify 18 vulnerabilities exploited in the wild before their disclosure, of which 11 were not previously known to have been employed in zero-day attacks. Zero-day attacks last on average 312 days, and up to 30 months, and they typically affect few hosts. However, there are some exceptions for high profile attacks such as Conficker and Stuxnet, which we respectively detected on hundreds of thousands and millions of the hosts in our study, before the vulnerability disclosure. After the disclosure of zero-day vulnerabilities, the volume of attacks exploiting them increases by up to 5 orders of magnitude. These findings have important implications for future security technologies and for public policy.

Based on these findings, it will be interesting to see if the various technology vendors, programmers, and business will take this to heart and work harder in getting less vulnerable software and systems to market. Follow on research from this paper could be to evaluate the cost impact associated with zero-day attacks or vulnerabilities that were left unpatched. The reality is that security is about risk acceptance and in some cases the cost may be deemed an acceptable risk by some businesses.

Tagged , , , , , , , , , , , , ,

Taking the Hacker and Heading Home…

Many may have heard of the ongoing dispute between England and the United States about the pending extradition of British hacker Gary McKinnon. Well the wait is over, the British Home Secretary Theresa May in an announcement yesterday before Parliament stated that she would block the extradition of Gary McKinnon. She based her decision on the several medical examinations and his Asperger’s Syndrome diagnosis. He has been charged by the United Stated for hacking into highly classified Pentagon computer systems, for what McKinnon alleges in search of proof of extraterrestrial evidence.  USAToday.com has a good article on the coverage.

According to the article:

Officials in Washington expressed disappointment at the outcome, and State Department spokeswoman Victoria Nuland said the decision meant McKinnon would not “face long overdue justice in the United States.”

British prosecutors will now decide if he should face charges in the U.K.

There has also been discussion that England will also renegotiate the extradition treaty to make it harder for British citizens to be extradited to the United States.

Tagged , , , , , , , , , ,
%d bloggers like this: